Big Businesses Walloped With Climbing Cybercrime Costs

In just two years the number of successful cyberattacks has doubled, said Michael Callahan, vice president for product and solution marketing for HP Enterprise Security. "You might expect the number of attacks to increase with the proliferation of botnets, but it's amazing that so many are successful, given the amount of attention that's being paid to security."

By John P. Mello Jr.
10/08/12 5:00 AM PT

Cybercrime costs continued to climb in 2012, according to a report released Monday by the Ponemon Institute.

The study of 56 large organizations showed that the average annualized cost of cybercrime for the businesses was US$8.9 million a year, compared to $8.4 million a year ago. Losses for the firms ranged from $1.4 million to $46 million.

Cyberattacks have become common occurrences, said the study. Taken together, the businesses in the study were subjected to 102 successful attacks per week, or 1.8 successful attacks per company per week.

Double Frequency

"In just two years the number of successful attacks has doubled, which is pretty incredible when you think about it," Michael Callahan, vice president for product and solution marketing for HP Enterprise Security, which sponsored the study, told TechNewsWorld.

"You might expect the number of attacks to increase with the proliferation of botnets but it's amazing that so many are successful, given the amount of attention that's being paid to security," he said.

One reason for the increase in successful attacks may be the sophistication of the attackers, according to Larry Ponemon, founder and chairman of the Ponemon Institute. "Some of the attacks have become much more complex to identify, much more stealthy," he told TechNewsWorld.

In addition, malicious insider attacks are occurring more frequently, he added. "Malicious insiders, working with external parties, can cause enormous amounts of damage and when they're detected, they're hard to contain and remediate."

Hackers Attack White House

A spear-phishing attack on a White House computer network that did not contain classified information came to light last week. "These types of attacks are not infrequent and we have mitigation measures in place," an unnamed White House official was quoted as saying.

"In this instance the attack was identified, the system was isolated, and there is no indication whatsoever that any exfiltration of data took place," the official continued. "Moreover, there was never any impact or attempted breach of any classified system."

News of the attack broke on Sep. 30 when the Washington FreeBeacon, a conservative online news outlet, reported that hackers linked to the Chinese government broke into a computer network used by the White House military office for nuclear commands.

Citing an official familiar with the incident, the FreeBeacon maintained that the breach was one of China's "most brazen cyberattacks against the United States and highlights a failure of the Obama administration to press China on its persistent cyberattacks."

It's going to get worse, he contended. "There are hundreds of thousands of fledgling keyboard hawks now being groomed by the Chinese government to break into systems," he said.

Scareware Crackdown

A major international crackdown on scareware scammers was launched last week by the U.S. Federal Trade Commission. The agency targeted six companies in India selling phony technical support services to English-speaking countries, including the United States, Canada, Australia, Ireland, New Zealand and the United Kingdom.

According to the FTC, some of the scammers cold-called consumers posing as representatives from legitimate companies, such as Dell, Microsoft, McAfee and Symantec. They told the consumers that malware had been detected on their computers and then offered to remove it for fees ranging from $49-$450.

In addition to the "boiler room" tactic used by five of the firms, a sixth used ads placed on Google search pages to sell its bogus services.

To elude scam fighters, the phony malware removers used 80 different domain names and 130 different phone numbers, the FTC said.

"The FTC has been aggressive -- and successful -- in its pursuit of tech-support scams," FTC Chairman Jon Leibowitz said in a statement. "And the tech-support scam artists we are talking about today have taken scareware to a whole other level of virtual mayhem."

Breach Diary

Oct. 1: McAfee and the National Cyber Security Alliance release a survey in which 26 percent of Americans say they've been told that their personal information may have been exposed by a data breach.

Oct. 1: California attorney general announces that Blue Cross of California agrees to pay $150,000 to settle lawsuits resulting from a data breach that compromised the personal healthcare information of 33,756 of its members.

Oct. 2: Cybersecurity company Prolexic reports that widespread DDoS attacks on U.S. financial institutions in September were powered by a toolkit called "itsoknoproblembro." According to the company, use of the tool in conjunction with sophisticated attack methods shows that the attackers are familiar with common DDoS mitigation methods.

Oct. 3: Web security firm Blue Coat reports that malicious botnets have increased 200 percent in the last six months. It also predicts that two-thirds of all malicious cyberattacks this year will be perpetrated by such malnets.

Oct. 3: Researchers at Trusteer reveal a new type of Man-in-the-Browser attack that is website independent. According to the researchers, the new form of attack speeds up how data is stolen and allows cybercriminals to inflict more damage before they're discovered.

Oct. 3: Computerworld reports that a hacker group calling itself Team GhostShell breached the servers of more than 100 major universities around the world and published 120,000 records from those computers on the Internet. The hackers said their action was aimed at focusing attention on failing education standards around the world.